2 * security/tomoyo/domain.c
4 * Domain transition functions for TOMOYO.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
10 #include <linux/binfmts.h>
11 #include <linux/slab.h>
13 /* Variables definitions.*/
15 /* The initial domain. */
16 struct tomoyo_domain_info tomoyo_kernel_domain;
19 * tomoyo_update_policy - Update an entry for exception policy.
21 * @new_entry: Pointer to "struct tomoyo_acl_info".
22 * @size: Size of @new_entry in bytes.
23 * @param: Pointer to "struct tomoyo_acl_param".
24 * @check_duplicate: Callback function to find duplicated entry.
26 * Returns 0 on success, negative value otherwise.
28 * Caller holds tomoyo_read_lock().
30 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
31 struct tomoyo_acl_param *param,
32 bool (*check_duplicate) (const struct tomoyo_acl_head
34 const struct tomoyo_acl_head
37 int error = param->is_delete ? -ENOENT : -ENOMEM;
38 struct tomoyo_acl_head *entry;
39 struct list_head *list = param->list;
41 if (mutex_lock_interruptible(&tomoyo_policy_lock))
43 list_for_each_entry_rcu(entry, list, list) {
44 if (!check_duplicate(entry, new_entry))
46 entry->is_deleted = param->is_delete;
50 if (error && !param->is_delete) {
51 entry = tomoyo_commit_ok(new_entry, size);
53 list_add_tail_rcu(&entry->list, list);
57 mutex_unlock(&tomoyo_policy_lock);
62 * tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry.
64 * @a: Pointer to "struct tomoyo_acl_info".
65 * @b: Pointer to "struct tomoyo_acl_info".
67 * Returns true if @a == @b, false otherwise.
69 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
70 const struct tomoyo_acl_info *b)
72 return a->type == b->type;
76 * tomoyo_update_domain - Update an entry for domain policy.
78 * @new_entry: Pointer to "struct tomoyo_acl_info".
79 * @size: Size of @new_entry in bytes.
80 * @param: Pointer to "struct tomoyo_acl_param".
81 * @check_duplicate: Callback function to find duplicated entry.
82 * @merge_duplicate: Callback function to merge duplicated entry.
84 * Returns 0 on success, negative value otherwise.
86 * Caller holds tomoyo_read_lock().
88 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
89 struct tomoyo_acl_param *param,
90 bool (*check_duplicate) (const struct tomoyo_acl_info
92 const struct tomoyo_acl_info
94 bool (*merge_duplicate) (struct tomoyo_acl_info *,
95 struct tomoyo_acl_info *,
98 const bool is_delete = param->is_delete;
99 int error = is_delete ? -ENOENT : -ENOMEM;
100 struct tomoyo_acl_info *entry;
101 struct list_head * const list = param->list;
103 if (mutex_lock_interruptible(&tomoyo_policy_lock))
105 list_for_each_entry_rcu(entry, list, list) {
106 if (!tomoyo_same_acl_head(entry, new_entry) ||
107 !check_duplicate(entry, new_entry))
110 entry->is_deleted = merge_duplicate(entry, new_entry,
113 entry->is_deleted = is_delete;
117 if (error && !is_delete) {
118 entry = tomoyo_commit_ok(new_entry, size);
120 list_add_tail_rcu(&entry->list, list);
124 mutex_unlock(&tomoyo_policy_lock);
129 * tomoyo_check_acl - Do permission check.
131 * @r: Pointer to "struct tomoyo_request_info".
132 * @check_entry: Callback function to check type specific parameters.
134 * Returns 0 on success, negative value otherwise.
136 * Caller holds tomoyo_read_lock().
138 void tomoyo_check_acl(struct tomoyo_request_info *r,
139 bool (*check_entry) (struct tomoyo_request_info *,
140 const struct tomoyo_acl_info *))
142 const struct tomoyo_domain_info *domain = r->domain;
143 struct tomoyo_acl_info *ptr;
144 bool retried = false;
145 const struct list_head *list = &domain->acl_info_list;
148 list_for_each_entry_rcu(ptr, list, list) {
149 if (ptr->is_deleted || ptr->type != r->param_type)
151 if (check_entry(r, ptr)) {
158 list = &domain->ns->acl_group[domain->group];
164 /* The list for "struct tomoyo_domain_info". */
165 LIST_HEAD(tomoyo_domain_list);
168 * tomoyo_last_word - Get last component of a domainname.
170 * @name: Domainname to check.
172 * Returns the last word of @domainname.
174 static const char *tomoyo_last_word(const char *name)
176 const char *cp = strrchr(name, ' ');
183 * tomoyo_same_transition_control - Check for duplicated "struct tomoyo_transition_control" entry.
185 * @a: Pointer to "struct tomoyo_acl_head".
186 * @b: Pointer to "struct tomoyo_acl_head".
188 * Returns true if @a == @b, false otherwise.
190 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a,
191 const struct tomoyo_acl_head *b)
193 const struct tomoyo_transition_control *p1 = container_of(a,
196 const struct tomoyo_transition_control *p2 = container_of(b,
199 return p1->type == p2->type && p1->is_last_name == p2->is_last_name
200 && p1->domainname == p2->domainname
201 && p1->program == p2->program;
205 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
207 * @param: Pointer to "struct tomoyo_acl_param".
208 * @type: Type of this entry.
210 * Returns 0 on success, negative value otherwise.
212 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
215 struct tomoyo_transition_control e = { .type = type };
216 int error = param->is_delete ? -ENOENT : -ENOMEM;
217 char *program = param->data;
218 char *domainname = strstr(program, " from ");
222 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
223 type == TOMOYO_TRANSITION_CONTROL_KEEP) {
224 domainname = program;
227 if (program && strcmp(program, "any")) {
228 if (!tomoyo_correct_path(program))
230 e.program = tomoyo_get_name(program);
234 if (domainname && strcmp(domainname, "any")) {
235 if (!tomoyo_correct_domain(domainname)) {
236 if (!tomoyo_correct_path(domainname))
238 e.is_last_name = true;
240 e.domainname = tomoyo_get_name(domainname);
244 param->list = ¶m->ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL];
245 error = tomoyo_update_policy(&e.head, sizeof(e), param,
246 tomoyo_same_transition_control);
248 tomoyo_put_name(e.domainname);
249 tomoyo_put_name(e.program);
254 * tomoyo_scan_transition - Try to find specific domain transition type.
256 * @list: Pointer to "struct list_head".
257 * @domainname: The name of current domain.
258 * @program: The name of requested program.
259 * @last_name: The last component of @domainname.
260 * @type: One of values in "enum tomoyo_transition_type".
262 * Returns true if found one, false otherwise.
264 * Caller holds tomoyo_read_lock().
266 static inline bool tomoyo_scan_transition
267 (const struct list_head *list, const struct tomoyo_path_info *domainname,
268 const struct tomoyo_path_info *program, const char *last_name,
269 const enum tomoyo_transition_type type)
271 const struct tomoyo_transition_control *ptr;
272 list_for_each_entry_rcu(ptr, list, head.list) {
273 if (ptr->head.is_deleted || ptr->type != type)
275 if (ptr->domainname) {
276 if (!ptr->is_last_name) {
277 if (ptr->domainname != domainname)
281 * Use direct strcmp() since this is
284 if (strcmp(ptr->domainname->name, last_name))
288 if (ptr->program && tomoyo_pathcmp(ptr->program, program))
296 * tomoyo_transition_type - Get domain transition type.
298 * @ns: Pointer to "struct tomoyo_policy_namespace".
299 * @domainname: The name of current domain.
300 * @program: The name of requested program.
302 * Returns TOMOYO_TRANSITION_CONTROL_TRANSIT if executing @program causes
303 * domain transition across namespaces, TOMOYO_TRANSITION_CONTROL_INITIALIZE if
304 * executing @program reinitializes domain transition within that namespace,
305 * TOMOYO_TRANSITION_CONTROL_KEEP if executing @program stays at @domainname ,
308 * Caller holds tomoyo_read_lock().
310 static enum tomoyo_transition_type tomoyo_transition_type
311 (const struct tomoyo_policy_namespace *ns,
312 const struct tomoyo_path_info *domainname,
313 const struct tomoyo_path_info *program)
315 const char *last_name = tomoyo_last_word(domainname->name);
316 enum tomoyo_transition_type type = TOMOYO_TRANSITION_CONTROL_NO_RESET;
317 while (type < TOMOYO_MAX_TRANSITION_TYPE) {
318 const struct list_head * const list =
319 &ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL];
320 if (!tomoyo_scan_transition(list, domainname, program,
325 if (type != TOMOYO_TRANSITION_CONTROL_NO_RESET &&
326 type != TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE)
329 * Do not check for reset_domain if no_reset_domain matched.
330 * Do not check for initialize_domain if no_initialize_domain
340 * tomoyo_same_aggregator - Check for duplicated "struct tomoyo_aggregator" entry.
342 * @a: Pointer to "struct tomoyo_acl_head".
343 * @b: Pointer to "struct tomoyo_acl_head".
345 * Returns true if @a == @b, false otherwise.
347 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a,
348 const struct tomoyo_acl_head *b)
350 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1),
352 const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2),
354 return p1->original_name == p2->original_name &&
355 p1->aggregated_name == p2->aggregated_name;
359 * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list.
361 * @param: Pointer to "struct tomoyo_acl_param".
363 * Returns 0 on success, negative value otherwise.
365 * Caller holds tomoyo_read_lock().
367 int tomoyo_write_aggregator(struct tomoyo_acl_param *param)
369 struct tomoyo_aggregator e = { };
370 int error = param->is_delete ? -ENOENT : -ENOMEM;
371 const char *original_name = tomoyo_read_token(param);
372 const char *aggregated_name = tomoyo_read_token(param);
373 if (!tomoyo_correct_word(original_name) ||
374 !tomoyo_correct_path(aggregated_name))
376 e.original_name = tomoyo_get_name(original_name);
377 e.aggregated_name = tomoyo_get_name(aggregated_name);
378 if (!e.original_name || !e.aggregated_name ||
379 e.aggregated_name->is_patterned) /* No patterns allowed. */
381 param->list = ¶m->ns->policy_list[TOMOYO_ID_AGGREGATOR];
382 error = tomoyo_update_policy(&e.head, sizeof(e), param,
383 tomoyo_same_aggregator);
385 tomoyo_put_name(e.original_name);
386 tomoyo_put_name(e.aggregated_name);
391 * tomoyo_find_namespace - Find specified namespace.
393 * @name: Name of namespace to find.
394 * @len: Length of @name.
396 * Returns pointer to "struct tomoyo_policy_namespace" if found,
399 * Caller holds tomoyo_read_lock().
401 static struct tomoyo_policy_namespace *tomoyo_find_namespace
402 (const char *name, const unsigned int len)
404 struct tomoyo_policy_namespace *ns;
405 list_for_each_entry(ns, &tomoyo_namespace_list, namespace_list) {
406 if (strncmp(name, ns->name, len) ||
407 (name[len] && name[len] != ' '))
415 * tomoyo_assign_namespace - Create a new namespace.
417 * @domainname: Name of namespace to create.
419 * Returns pointer to "struct tomoyo_policy_namespace" on success,
422 * Caller holds tomoyo_read_lock().
424 struct tomoyo_policy_namespace *tomoyo_assign_namespace(const char *domainname)
426 struct tomoyo_policy_namespace *ptr;
427 struct tomoyo_policy_namespace *entry;
428 const char *cp = domainname;
429 unsigned int len = 0;
430 while (*cp && *cp++ != ' ')
432 ptr = tomoyo_find_namespace(domainname, len);
435 if (len >= TOMOYO_EXEC_TMPSIZE - 10 || !tomoyo_domain_def(domainname))
437 entry = kzalloc(sizeof(*entry) + len + 1, GFP_NOFS);
440 if (mutex_lock_interruptible(&tomoyo_policy_lock))
442 ptr = tomoyo_find_namespace(domainname, len);
443 if (!ptr && tomoyo_memory_ok(entry)) {
444 char *name = (char *) (entry + 1);
446 memmove(name, domainname, len);
449 tomoyo_init_policy_namespace(entry);
452 mutex_unlock(&tomoyo_policy_lock);
459 * tomoyo_namespace_jump - Check for namespace jump.
461 * @domainname: Name of domain.
463 * Returns true if namespace differs, false otherwise.
465 static bool tomoyo_namespace_jump(const char *domainname)
467 const char *namespace = tomoyo_current_namespace()->name;
468 const int len = strlen(namespace);
469 return strncmp(domainname, namespace, len) ||
470 (domainname[len] && domainname[len] != ' ');
474 * tomoyo_assign_domain - Create a domain or a namespace.
476 * @domainname: The name of domain.
477 * @transit: True if transit to domain found or created.
479 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
481 * Caller holds tomoyo_read_lock().
483 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
486 struct tomoyo_domain_info e = { };
487 struct tomoyo_domain_info *entry = tomoyo_find_domain(domainname);
488 bool created = false;
492 * Since namespace is created at runtime, profiles may
493 * not be created by the moment the process transits to
494 * that domain. Do not perform domain transition if
495 * profile for that domain is not yet created.
497 if (!entry->ns->profile_ptr[entry->profile])
502 /* Requested domain does not exist. */
503 /* Don't create requested domain if domainname is invalid. */
504 if (strlen(domainname) >= TOMOYO_EXEC_TMPSIZE - 10 ||
505 !tomoyo_correct_domain(domainname))
508 * Since definition of profiles and acl_groups may differ across
509 * namespaces, do not inherit "use_profile" and "use_group" settings
510 * by automatically creating requested domain upon domain transition.
512 if (transit && tomoyo_namespace_jump(domainname))
514 e.ns = tomoyo_assign_namespace(domainname);
518 * "use_profile" and "use_group" settings for automatically created
519 * domains are inherited from current domain. These are 0 for manually
523 const struct tomoyo_domain_info *domain = tomoyo_domain();
524 e.profile = domain->profile;
525 e.group = domain->group;
527 e.domainname = tomoyo_get_name(domainname);
530 if (mutex_lock_interruptible(&tomoyo_policy_lock))
532 entry = tomoyo_find_domain(domainname);
534 entry = tomoyo_commit_ok(&e, sizeof(e));
536 INIT_LIST_HEAD(&entry->acl_info_list);
537 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
541 mutex_unlock(&tomoyo_policy_lock);
543 tomoyo_put_name(e.domainname);
544 if (entry && transit) {
546 struct tomoyo_request_info r;
547 tomoyo_init_request_info(&r, entry,
548 TOMOYO_MAC_FILE_EXECUTE);
550 tomoyo_write_log(&r, "use_profile %u\n",
552 tomoyo_write_log(&r, "use_group %u\n", entry->group);
559 * tomoyo_find_next_domain - Find a domain.
561 * @bprm: Pointer to "struct linux_binprm".
563 * Returns 0 on success, negative value otherwise.
565 * Caller holds tomoyo_read_lock().
567 int tomoyo_find_next_domain(struct linux_binprm *bprm)
569 struct tomoyo_request_info r;
570 char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
571 struct tomoyo_domain_info *old_domain = tomoyo_domain();
572 struct tomoyo_domain_info *domain = NULL;
573 const char *original_name = bprm->filename;
576 int retval = -ENOMEM;
577 bool need_kfree = false;
578 bool reject_on_transition_failure = false;
579 struct tomoyo_path_info rn = { }; /* real name */
581 mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
582 is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
591 /* Get symlink's pathname of program. */
593 rn.name = tomoyo_realpath_nofollow(original_name);
596 tomoyo_fill_path_info(&rn);
599 /* Check 'aggregator' directive. */
601 struct tomoyo_aggregator *ptr;
602 struct list_head *list =
603 &old_domain->ns->policy_list[TOMOYO_ID_AGGREGATOR];
604 /* Check 'aggregator' directive. */
605 list_for_each_entry_rcu(ptr, list, head.list) {
606 if (ptr->head.is_deleted ||
607 !tomoyo_path_matches_pattern(&rn,
612 /* This is OK because it is read only. */
613 rn = *ptr->aggregated_name;
618 /* Check execute permission. */
619 retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
620 if (retval == TOMOYO_RETRY_REQUEST)
625 * To be able to specify domainnames with wildcards, use the
626 * pathname specified in the policy (which may contain
627 * wildcard) rather than the pathname passed to execve()
628 * (which never contains wildcard).
630 if (r.param.path.matched_path) {
634 /* This is OK because it is read only. */
635 rn = *r.param.path.matched_path;
638 /* Calculate domain to transit to. */
639 switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname,
641 case TOMOYO_TRANSITION_CONTROL_RESET:
642 /* Transit to the root of specified namespace. */
643 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", rn.name);
645 * Make do_execve() fail if domain transition across namespaces
648 reject_on_transition_failure = true;
650 case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
651 /* Transit to the child of current namespace's root. */
652 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
653 old_domain->ns->name, rn.name);
655 case TOMOYO_TRANSITION_CONTROL_KEEP:
656 /* Keep current domain. */
660 if (old_domain == &tomoyo_kernel_domain &&
661 !tomoyo_policy_loaded) {
663 * Needn't to transit from kernel domain before
664 * starting /sbin/init. But transit from kernel domain
665 * if executing initializers because they might start
670 /* Normal domain transition. */
671 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
672 old_domain->domainname->name, rn.name);
677 domain = tomoyo_assign_domain(tmp, true);
680 else if (reject_on_transition_failure) {
681 printk(KERN_WARNING "ERROR: Domain '%s' not ready.\n", tmp);
683 } else if (r.mode == TOMOYO_CONFIG_ENFORCING)
687 if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) {
688 old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true;
690 tomoyo_write_log(&r, "%s", tomoyo_dif
691 [TOMOYO_DIF_TRANSITION_FAILED]);
693 "ERROR: Domain '%s' not defined.\n", tmp);
699 /* Update reference count on "struct tomoyo_domain_info". */
700 atomic_inc(&domain->users);
701 bprm->cred->security = domain;